Question
I found in my logs that someone is trying to attack my page. I have some sub-pages where data is pulled from an DB via an ID that is submitted by the URL. Like page.php?id=666 What I could find in my logs are these attacks:
https://stackoverflow.com/questions/22769313
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianpage.php?id=../../../../../../../../../../etc/passwd
page.php?id=/proc/self/environ
page.php?id=-1%27
And even more important, is my code weak? Might this attack have been successful?
$id = intval($_GET['id']);
$stmt = $con->prepare("SELECT *
FROM mytable AS myvar
WHERE myvar.ID =:ID");
$stmt->bindValue(':ID', $id, PDO::PARAM_INT);
$stmt->execute();
Thanks in advance!
Solution
No, this code is not vulnerable to SQL injections.
Both the intval conversion and prepared statement with PDO::PARAM_INT binding ensure that only integer values are used in the comparison of the statement that is being executed.
Anyways, the mentioned requests don’t seem to aim for identifying SQL injections only but several different vulnerabilities, e. g., Path Traversal (CWE-22) and Local File Inclusion (CWE-98) as well. So you may want to watch out for those vulnerabilities as well.
OTHER TIPS
Looks like the attacker tried to access documents and other data in various directories on your web server. I don't think it's SQL Injection. However, make sure you are protecting access to directories and all documents wherever necessary.
You're on PDO with prepared statements, that should keep you safe from injection.
